Trends in embedded hardware security

• Preventing debug access

- Fuses, Secure access control 

• Protecting buses and memory components 

- Flash memories with security, DRAM bus scrambling 

• Increase in code integrity 

- Boot loader ROM in CPU, Public key signature checking 

• Objectives: 

- Prevent running unauthorized code 

- Prevent access to confidential information 

> Effective against most “conventional” attacks 

Towards cryptographic devices

• Smart cards represent the ultimate cryptographic device:

- Operate in a hostile environment 

- Perform cryptographic operations on data 

- Harnessing both the cryptographic operation and the key 

- Tamper resistant 

• General purpose processors are incorporating more and more 
smart card style security 

• Why not use a smart card? 

- Also adds complexity 

- How to communicate securely with it? 

- Some do (PayTV, TPM etc) 

Side Channel Analysis

• What?

- read ‘hidden’ signals 

• Why? 

- retrieve secrets 

• How? 

- Attack channels 

- Methods 

- Tools 

Attack Channels

• Electro-Magnetic radiation

Passive versus active attacks

• Passive attacks

- Only observing the target 

- Possibly modifying it to execute a specific behavior to observe 

- Examples: time, power or EM measurements 

• Active attacks 

- Manipulating the target or its environment outside of its normal 
behavior 

- Uncovering cryptographic keys through ‘fault injection’ 

- Changing program flow (e.g. circumvent code integrity checks)

- Examples: Voltage or clock glitching, laser pulse attacks 



Troopers ’08 


Principle of timing analysis 

Principle of power analysis

• Semiconductors use current while switching

• Shape of power consumption profile reveals activity

• Comparison of profiles reveals processes and data

• Power is consumed when switching from 1→0 or 0→1

Principle of electromagnetic analysis

• Electric and magnetic fields are related to current

• Probe is a coil for magnetic field

• Generally the near field (distance ≪ λ) is most suitable

• Adds the dimension of position compared to the one-dimensional
power measurement

XY table for EM analysis

Localization with EM

• Scanning chip surface
with XY table 

• Display intensity per 
frequency 

• Search for optimal location: 

- CPU frequency 

- Crypto engine clock 

- RAM bus driver 

Demo equipment

• CPU: TI OMAP 5910, 150 MHz

Simple Power/EM Analysis

• Recover information by inspection of single or averaged traces

• Can also be useful for reverse engineering algorithms and 
implementations 

Differential Power/EM Analysis

• Recover information by inspecting the difference between traces
with different (random) inputs 

• Use correlation to retrieve information from noisy signals 

Data/signal correlation

Breaking a key - demo

• Example breaking a DES key with a differential attack

• Starting a measurement 

• Explaining DES analysis 

• Showing results 

DES

• 16 rounds

• Input and output are 64 bits

• Key K is 56 bits; round keys are 48 bits

• Cipher function F mixes 
input and round key 

DPA on DES

• Simulate DES algorithm based on input bits and
hypotheses k.


• Select one S-Box, and one output bit x. Bit x 
depends on only 6 key bits. 


• Calculate differential trace for the 64 different 
values of k. 


• Incorrect guess will show noise, correct guess will 
show peaks. 

DPA on DES results

Countermeasures

• Decrease leakage

- Balance processing of values 

- Limit number of operations per key 

• Increase noise 

- Introduce timing variations in processing 

- Use hardware means 

Countermeasures concepts

• Passive side channel attacks:

- Hiding: 

Break relation between processed value and power consumption 

- Masking / Blinding:

Break relation between algorithmic value and processed value 

Countermeasure examples

• Change the crypto protocol to use key material only for a
limited amount of operations. For instance, use short lived 
session keys based on a hash of an initial key. 

Example:

K0 → Perform transaction using K0 (transaction counter=0)

K1=SHA256(K0)

K1 → Perform transaction using K1 (transaction counter=1)

K2=SHA256(K1)

K2 → Perform transaction using K2 (transaction counter=2)

K3=SHA256(K2)

K3 → Perform transaction using K3 (transaction counter=3)

K4=SHA256(K3)

↓

Source: Kocher, P. Design and Validation Strategies for Obtaining Assurance in Countermeasures to Power Analysis and Related Attacks 
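
The key-update scheme above as an added example (not from the original slides or from Kocher's paper). It assumes a "transaction" is an HMAC-SHA256 over a message and that the verifier shares K0; the class names, `max_skip` and the sample key are hypothetical.

```python
import hashlib
import hmac


def next_key(key: bytes) -> bytes:
    """K_i = SHA256(K_{i-1}); one-way, so K_i does not reveal earlier keys."""
    return hashlib.sha256(key).digest()


class Device:
    """Uses each session key for exactly one transaction, then replaces it."""

    def __init__(self, initial_key: bytes):
        self.key, self.counter = initial_key, 0

    def transact(self, message: bytes):
        tag = hmac.new(self.key, message, hashlib.sha256).digest()
        used = self.counter
        self.key, self.counter = next_key(self.key), used + 1  # K_i is overwritten
        return used, tag


class Verifier:
    """Follows the chain forward only; rejects old or far-ahead counters."""

    def __init__(self, initial_key: bytes, max_skip: int = 8):
        self.key, self.counter, self.max_skip = initial_key, 0, max_skip

    def verify(self, counter: int, message: bytes, tag: bytes) -> bool:
        skip = counter - self.counter
        if skip < 0 or skip > self.max_skip:
            return False
        key = self.key
        for _ in range(skip):                 # catch up to the device's key
            key = next_key(key)
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # state is not advanced on failure
        self.key, self.counter = next_key(key), counter + 1
        return True


def demo():
    k0 = bytes(range(32))                     # constructed initial key, illustration only
    dev, ver = Device(k0), Verifier(k0)
    c0, t0 = dev.transact(b"pay 10")
    dev.transact(b"lost in transit")          # verifier never sees counter 1
    c2, t2 = dev.transact(b"pay 25")
    return [ver.verify(c0, b"pay 10", t0),
            ver.verify(c2, b"pay 25", t2),    # catches up past the gap
            ver.verify(c0, b"pay 10", t0)]    # replay of an old counter
```

Because each key is used once and then overwritten, the number of traces that can be collected for any single key is bounded by the protocol rather than by the implementation.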

Countermeasure examples

[Figure: traces labelled "default", "random", "random"]

• Remove any execution time dependence on data and key. Do
not forget cache timing and branch prediction. Also remove
conditional execution that depends on the key.

• Randomly insert instructions with no effect on the algorithm.
Use different instructions that are hard to recognize in a trace.

Countermeasure examples

• Shuffling: Changing the order of independent operations (for
instance S-box calculations) per round. This reduces correlation
by a factor equal to the number of shuffled operations.

• Implement a masked version of the cryptographic algorithm.
Examples can be found in research literature for common 
algorithms (RSA, AES). 

SPA attack on RSA

RSA implementations

• Algorithm for M = C^d, where d_i are the exponent bits (0 ≤ i ≤ t)

- M := 1

- For i from t down to 0 do:

  • M := M * M

  • If d_i = 1, then M := M * C

• Algorithm for M = C^d, where d_i are groups of exponent bits (0 ≤ i ≤ t)

- Precompute multipliers C^i

- M := 1

- For i from t down to 0 do:

  • For j = 1 to groupSize: M := M * M

  • M := M * C^(d_i)
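
The two exponentiation algorithms above as an added example (not from the original slides), instrumented so an implementer can check whether the square/multiply sequence varies with the exponent. The function names, the `key_bits` parameter, the modulus and the sample exponents are assumptions made for illustration.

```python
def binary_exp(c, d, n):
    """Binary square-and-multiply (first algorithm); returns (M, op sequence)."""
    m, ops = 1, []
    for i in range(d.bit_length() - 1, -1, -1):
        m = m * m % n
        ops.append("S")
        if (d >> i) & 1:                  # key-dependent branch
            m = m * c % n
            ops.append("M")
    return m, "".join(ops)


def grouped_exp(c, d, n, key_bits, group_size=2):
    """Grouped exponent bits (second algorithm); loop bounds depend only on key_bits."""
    table = [1]                           # precomputed multipliers C^0 .. C^(2^g - 1)
    for _ in range((1 << group_size) - 1):
        table.append(table[-1] * c % n)
    groups = -(-key_bits // group_size)   # ceil(key_bits / group_size)
    m, ops = 1, []
    for i in range(groups - 1, -1, -1):
        for _ in range(group_size):
            m = m * m % n
            ops.append("S")
        digit = (d >> (i * group_size)) & ((1 << group_size) - 1)
        m = m * table[digit] % n          # always one multiply, even for digit 0
        ops.append("M")
    return m, "".join(ops)


def sequence_depends_on_key(exp_fn, exponents, c=7, n=1000003):
    """True if any two exponents yield different square/multiply sequences."""
    return len({exp_fn(c, d, n)[1] for d in exponents}) > 1


# Constructed 6-bit exponents with the same bit length and Hamming weight.
SAMPLE_EXPONENTS = [0b101101, 0b110011, 0b111001]
```

A regular operation sequence only removes what is visible by inspecting the order of operations; the table index and the operand values still depend on the key and data, so it is combined with the other countermeasures in this deck.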

Example: RSA message blinding

• Normal encryption: M = C^d mod n under condition:

- n = p·q

- e·d = 1 mod lcm(p-1, q-1)

• Choose a random r, then C' = C·r^e mod n

• Perform RSA: C'^d mod n = C^d·r mod n

• M = (C^d·r)·r^-1 mod n

• During the RSA operation itself the operations with exponent d 
do not depend on C 
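
The blinding steps above carried through as an added example (not from the original slides). The toy key is constructed from two well-known Mersenne primes, and the function names and sample message are hypothetical; Python's built-in `pow` is used only to show the arithmetic and is not a side-channel-hardened exponentiation.

```python
import math
import secrets

# Constructed toy key; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
D = pow(E, -1, LAMBDA)                                  # e*d = 1 mod lcm(p-1, q-1)


def fresh_blinding_factor(n):
    """Random r in [2, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blinded_private_op(c, r=None):
    """Return (M, C') where M = C^d mod n and C' is what the exponentiation saw."""
    r = fresh_blinding_factor(N) if r is None else r
    c_blind = c * pow(r, E, N) % N          # C' = C * r^e mod n
    m_blind = pow(c_blind, D, N)            # C'^d mod n = C^d * r mod n
    m = m_blind * pow(r, -1, N) % N         # M = (C^d * r) * r^-1 mod n
    return m, c_blind


def demo():
    message = 0x5EC2E7                      # constructed plaintext
    c = pow(message, E, N)                  # input supplied from outside the device
    m1, seen1 = blinded_private_op(c)
    m2, seen2 = blinded_private_op(c)
    # Same result both times, but the exponentiation input differed per call.
    return m1 == message and m2 == message and seen1 != seen2
```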

Test and verification

• The best way to understand side channel leakage is to measure
your own implementation

• Side channel analysis can be performed on a device to assess
its level of vulnerability to such attacks 

• Such analysis is part of certification processes in the payment 
industry and in Common Criteria evaluations. 

• FIPS 140-3 will require side channel testing for certain levels 

Countermeasure licensing

• DPA attacks were first published by Paul Kocher et al. from
Cryptography Research, Inc. (CRI) 

• A large range of countermeasures are patented by CRI and 
other companies 

• CRI licenses the use of them 

• The patents give a good idea of possible countermeasures, 
check with CRI 

Conclusions

• With the increase of security features in embedded devices the
importance of side channel attacks will also increase 

• Most of these devices with advanced security features do not 
yet contain hardware countermeasures against side channel 
attacks 

• Side channel attacks present a serious threat with wide range 
of possibilities and a large impact 

• Still, software developers can reduce the risks of side channel 
attacks by securing their implementations with software 
countermeasures 